VXers Shellshocking embedded BusyBox boxen

Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says. Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and …

  1. Hans 1 Silver badge

    >Most Fortune 1000 organisations patched ShellShock when fixes became available in September due to the high risk it posed.

    Except devices running busybox, because these were not supposed to be affected, iirc.

    1. Flocke Kroes Silver badge

      Bash + Busybox

      Putting both on an embedded system would be surprising, but not difficult. Busybox is a single program containing cut down versions of commands you select from an extensive list that includes alternatives to bash. It can be static linked, which saves space when there are only one or two separate programs. Bash has lots of handy features that were added for people's convenience without worrying much about how much space they require.

      Storage is so cheap that using bash + coreutils + the full version of anything crammed into busybox + all the required shared libraries will still fit into a really cheap flash chip. Despite that, I found no copies of bash on any embedded system I use.

      The ease of exploitation and the damage an embedded system can do make it worth checking to see if any use bash. If you find one, please speak up. Somewhere on this planet there must be at least one embedded system vulnerable to shellshock. A vPint to the fellow commentard who finds it.

      1. Robin Bradshaw

        Re: Bash + Busybox

        Flocke Kroes, I'm probably wrong, but my understanding from the article is that they seem to be using one shellshock vulnerable device as a beachhead from which to launch brute force login attacks against other devices on the same network as the shellshocked device, not that busybox itself is vulnerable.

        I looked into the idea of pivoting from one device onto an internal network in a vaguely similar way using a web browser and javascript xmlhttprequests to spam shellshock payload onto the browser's internal LAN, to demonstrate to a friend their device might not be safe.

      2. heyrick Silver badge

        Re: Bash + Busybox

        @ Flocke: How does one tell easily if the command processor is bash?

        1. channel extended

          Re: Bash + Busybox

          Open a terminal, type "help", no quotes. Then <enter>. You will get a lot of text, but at the top there will be the information you need.
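
A scripted version of the check discussed in this sub-thread, added here as an example and not posted by any commenter: it identifies whether a shell binary is bash or BusyBox from the banner it prints and, for bash, runs the widely published local environment-variable test for the original Shellshock bug. The function names, the marker string and the candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: audit which shell a device runs and whether its bash is patched.

# Classify a shell from banner text (the output of --version / --help).
classify_banner() {
    case "$1" in
        *"GNU bash"*) echo bash ;;
        *BusyBox*)    echo busybox ;;
        *)            echo unknown ;;
    esac
}

# Run a shell binary and classify it by its banner. Assumes BusyBox was
# built with usage messages, so its applets print a banner for --help.
classify_shell() {
    banner=$( { "$1" --version; "$1" --help; } 2>&1 </dev/null || true )
    classify_banner "$banner"
}

# Local test for the original Shellshock bug: an unpatched bash executes the
# command that trails the function definition while importing the variable;
# a patched bash treats the value as plain data and only runs 'echo ok'.
check_shellshock() {
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$1" -c 'echo ok' 2>/dev/null </dev/null || true)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *ok*)                echo patched ;;
        *)                   echo error ;;
    esac
}

# Report shell type for each existing path and, for bash, its patch status.
audit_shells() {
    for sh_path in "$@"; do
        [ -x "$sh_path" ] || continue
        kind=$(classify_shell "$sh_path")
        if [ "$kind" = bash ]; then
            echo "$sh_path: bash ($(check_shellshock "$sh_path"))"
        else
            echo "$sh_path: $kind"
        fi
    done
}

# Candidate paths are assumptions; adjust to the device's filesystem layout.
audit_shells /bin/sh /bin/bash /bin/ash /bin/busybox
```

A "patched" result covers only the original function-import bug tested here; the bash package version should still be compared against the vendor's fixed release.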

  2. MJI Silver badge

    You do know that?

    This is a time some Vauxhall Owners use for themselves

    1. Steven Raith

      Re: You do know that?

      Hey, I make the atrocious car puns/analogies around here...

      Steven R

  3. James 47


    are poeple still using this stupid phrase?

    1. Anonymous Dutch Coward

      Re: boxen???

      Yes, I think poeple still use the word...

      1. NogginTheNog

        Re: boxen???

        Would they be poedoes?

  4. thames

    Shellshock in Busybox???

    The story is poorly written. From other sources what appears to be happening is that miscreants are looking for unpatched systems that are vulnerable to shellshock, and then taking over those to use as a platform from which to launch password guessing attacks on other systems.

    Of course if your password is "1234" or "password", then those systems are vulnerable to a password attack from any source. In addition, if you had a system which was vulnerable to shellshock (many weren't) and haven't patched for it, then lots of different things can be done to it.

    In other words, there is no shellshock in Busybox, but weak passwords can be a problem (surprise, surprise).
